In T367995#10013132, @Tgr wrote:

Do you mean the shared login domain specifically or the SUL3 project in general? (I'll file another security preview request about T363699: Determine and implement SUL 3 login handshake mechanism in a day or two, once I have PoC code. I think these are the two particularly security-sensitive parts of the project, the rest of the work is less interesting.)

Do you mean the shared login domain specifically or the SUL3 project in general? (I'll file another security preview request about T363699: Determine and implement SUL 3 login handshake mechanism in a day or two, once I have PoC code. I think these are the two particularly security-sensitive parts of the project, the rest of the work is less interesting.)

Hey @Tgr - I'd like to set up an initial threat-modeling/concept-review session (or two) for this work with you and any other relevant folks, this quarter. Are there any other technical folks that you're aware of who would likely be helpful during or interested in participating in such exercises? Thanks.

The configuration is now live in the beta cluster - the domain is not used for anything yet, but it works.
Example of an allowed request: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Special:UserLogin
Example of a disallowed request: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Main_Page

In T367995#9908992, @Reedy wrote:

Does this need to be security protected?

Updated list:

For Debian Bullseye, the following pip packages get installed to the Dagster venv:

For Debian Bullseye, the following packages get installed to the Superset venv:

Probably not? I used the link at https://www.mediawiki.org/wiki/Security/SOP/Security_Preview and that created it like that.

Does this need to be security protected?

There's a script in the internal frack "packages" repository that fetches the package and reports the portion of changelog associated with the latest package. The deb package is then added to the frack internal repository using "reprepro includedeb".

The basic install of dagster and its dependencies has been puppetized. Puppet also configures a pip-audit script to check for updates in the virtualenv and emails with success (clean audit) or an alert (patches are available). There's no project configuration in puppet yet, this part will be developed with BDC.

More on vulnerability tracking. This isn't awesome but:

https://github.com/minio/minio/security executive summary: watch the blog :-|

In T347576#9309071, @JFishback_WMF wrote:

JS was updated to sanitize the name being injected.

JS was updated to sanitize the name being injected.

We have concerns that the following code snippet from this feature contains a XSS that might be triggered by a malicious link opened by a user:

@sbassett Did AppSec review the JS to ensure that any parameters are scrubbed before injecting on the page?